Tuesday, 5 January 2016

Bank of Montreal has horrible password policies and does not store them securely

Banks generally tout some pretty decent physical security controls. Every branch has a vault so that valuables cannot be removed without authorization, and some form of identification is usually required to make a transaction. The same care does not appear to extend to some banks' online services.

I was made aware that Bank of Montreal (BMO) has a very inadequate password policy for its online banking service: a password may contain only the letters A-Z and the digits 0-9, to a maximum of six characters, with no special characters such as ampersands or spaces.

This is problematic on its own, considering that most people with a decent grounding in security would recommend a minimum of eight characters as a starting point, setting aside the special-character restriction entirely.

A Real Problem

On the surface, BMO's problem seems almost benign: it is merely a weak password scheme. It gets worse when you examine it closely.

One might assume that these restrictions still leave 62^6 possible combinations, roughly 56.8 billion passwords, on the assumption that upper-case letters, lower-case letters and the digits 0 through 9 are all treated as distinct characters.

However, nothing indicates that they are treated as distinct, and in fact we're told that the same password is used to access online, mobile, and telephone banking. Here's a picture to illustrate where this becomes a huge gaping problem:

When you sign into telephone banking, you're prompted for the very same password and told to enter it using the letters printed on your dialpad. What does this mean? Take the password "stupid": on a standard keypad, s, t, u, p, i and d sit on the 7, 8, 8, 7, 4 and 3 keys, so it is dialed as "788743". The original post showed a list of other passwords that dial to the same digits.

All of these passwords are the same when you use telephone banking, assuming your password dials as "788743". When you set your password in BMO's online portal, what the bank ends up checking is not the characters you typed but the digits it will look for when you press them on your phone. So if you set your password to "stupid", it becomes "788743".

This means that in addition to your actual password, you could also type "788743", or any other string that dials to those digits, and authenticate just fine. As a result, instead of 56 billion possible passwords there are really only a million (10^6, one decimal digit per position). BMO claims over seven million customers, so there are not enough distinct passwords to go around: by the pigeonhole principle, on average seven accounts share each effective credential.

I had two BMO customers test this and they were able to log in with passwords that did not match what they had intended. If you want to try this out for yourself, make a mental note of your password, look at a telephone keypad, and jumble the letters around based on which digit each letter of your existing password sits on.
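To make the collapse concrete, here is an added example (my own Python model, not BMO's code and not part of the original post) of a verifier that can only compare the dialpad form of a password. The keypad letter groups are the standard ITU E.161 layout printed on phone keys; the alphabet and six-character limit are the policy described above; the "stupid"/"788743" pair is the example from the post. It goes one step further than the post by enumerating the whole set of typed passwords the verifier cannot tell apart, and by computing the nominal and effective keyspaces.

```python
"""Added example: what a password check that only verifies keypad digits
actually verifies. Stand-alone model, not BMO's implementation."""
import itertools
import math
import string

# Letter groups printed on a standard (ITU E.161) phone keypad; 0 and 1 carry no letters.
KEYPAD = {
    "2": "abc", "3": "def", "4": "ghi", "5": "jkl",
    "6": "mno", "7": "pqrs", "8": "tuv", "9": "wxyz",
}
LETTER_TO_DIGIT = {c: d for d, letters in KEYPAD.items() for c in letters}
# Every allowed character that dials a given digit: the digit itself plus its letters, both cases.
DIGIT_TO_CHARS = {
    d: [d] + list(KEYPAD.get(d, "")) + list(KEYPAD.get(d, "").upper())
    for d in string.digits
}

# The policy described in the post: A-Z, a-z, 0-9, at most six characters (assumed exact).
ALPHABET = string.ascii_letters + string.digits
MAX_LEN = 6


def to_dialpad(password: str) -> str:
    """Reduce a password to the digit string a phone would send for it."""
    if not 1 <= len(password) <= MAX_LEN or any(c not in ALPHABET for c in password):
        raise ValueError("password must be 1-%d characters from A-Z, a-z, 0-9" % MAX_LEN)
    return "".join(LETTER_TO_DIGIT.get(c.lower(), c) for c in password)


def same_credential(stored: str, attempt: str) -> bool:
    """Model of a verifier that compares only dialpad forms. If the phone channel
    delivers nothing but digits, a password shared with that channel can be
    checked no more precisely than this, whatever the web form accepted."""
    return to_dialpad(stored) == to_dialpad(attempt)


def equivalence_class_size(password: str) -> int:
    """How many distinct typed passwords this verifier accepts for `password` (itself included)."""
    return math.prod(len(DIGIT_TO_CHARS[d]) for d in to_dialpad(password))


def equivalents(password: str):
    """Yield every other typed password the verifier cannot tell apart from `password`."""
    for combo in itertools.product(*(DIGIT_TO_CHARS[d] for d in to_dialpad(password))):
        candidate = "".join(combo)
        if candidate != password:
            yield candidate


def nominal_keyspace(length: int = MAX_LEN) -> int:
    """What the policy appears to allow: 62 symbols per position."""
    return len(ALPHABET) ** length


def effective_keyspace(length: int = MAX_LEN) -> int:
    """What the verifier can actually distinguish: one decimal digit per position."""
    return 10 ** length


def customers_per_credential(customers: int, length: int = MAX_LEN) -> float:
    """Pigeonhole: average number of accounts sharing each effective credential."""
    return customers / effective_keyspace(length)


if __name__ == "__main__":
    pw = "stupid"  # the post's example
    print(f"{pw!r} dials as {to_dialpad(pw)}")
    for alt in ["788743", "STUPID", "rutrid", "7t8P4e", "stupir"]:
        print(f"  accepts {alt!r}: {same_credential(pw, alt)}")
    print(f"typed passwords accepted for {pw!r}: {equivalence_class_size(pw):,}")
    print(f"nominal keyspace: {nominal_keyspace():,}  effective: {effective_keyspace():,}")
    print(f"accounts per credential with 7,000,000 customers: "
          f"{customers_per_credential(7_000_000):.1f}")
```

The point the model makes is that the weakest channel defines the credential: "stupid" is accepted alongside 194,480 other strings, and no amount of case-sensitivity in the web form changes the one-in-a-million odds of a guess, because the verifier never sees the difference.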

This is stupid, and unfortunately not unique to BMO either, as I have heard anecdotes of other banks in the United States having similar systems in place.

Do any of the big banks do password security right?

TD does. Here's how it looks when you attempt to set a password:

That implies to me that, at least on the surface, they store the password in a sane manner, because I can put anything I want into the field as long as it meets their requirements. Since I am setting this password via a password manager and it is being accepted, everything appears to be in good order.

What does BMO have to say about it?


BMO declined to reply on Twitter about the matter and instead asked me to provide some contact details so they could explain off the record why they have such a lousy password policy.

If you're looking for a major bank in Canada that likely has better online banking security, go with TD or another bank that has taken the time to bring its banking services into the 21st century.


  1. Oh do they allow letters in their passwords now? Back in the day it was numbers only. I wonder how many of us still have a six digit numerical password.


  2. Well I hope BMO is willing to absorb all the fraud which will inevitably ensue... They deserve to lose every penny of it!... Where are they getting their IT personnel?... They are obviously clueless...

  4. This is one of the reasons I no longer do much business with BMO. I am not even prompted for security questions anymore (and yes everything has been cleared from my browser and I have used different IP addresses, browsers etc...) so that is a pretty much useless feature. It is a waste of time to explain to the BMO that a 6 character password is weak and totally inappropriate for a bank to mandate. You shouldn't have to explain this to anyone let alone a major financial institution if they can't even agree on the fundamental aspects of password entropy and strength. Even PCI compliance states that passwords should be at least 7 characters in length. If you contact BMO (which I have at times in the past) they will simply reiterate that they take security very seriously and divert the discussion to a "defense in depth" argument. There is no credible security organization or professional that would agree with BMO's stance on passwords.

    I'm not sure how you know that BMO does not store passwords securely (i.e. salted with a secure hash). However, I would not be surprised if they stored them as clear text or used MD5 hashes or something stupid like that. They could very easily give users the option to use strong passwords and passphrases, but I doubt they ever will unless they are forced to by the government. There is no knowing what else they are doing, either in the design or implementation of their systems, that potentially puts users' financial data at risk. I cannot recommend BMO to someone who values their personal financial information.

  5. Somehow I have a 9 digit password for online BMO online banking. Not sure how I am allowed that??

  6. try entering only the first 6 and you will be surprised to discover something....
